I recently committed a couple sample projects to the Kerberos.NET library that shows how you can authenticate a web-based Kerberos ticket. My choice of platform is OWIN middleware because it most closely resembles how things work in ASP.NET Core, without actually going full-core.

The key class to look at is KerberosEndToEndMiddleware. It contains the necessary logic to handle detection and prompting for authentication:

Keep in mind that this is rudimentary sample. It doesn’t detect or create sessions, so any unauthenticated requests will be prompted to authenticate. You can try the sample by just launching the KerberosMiddlewareEndToEndSample project. It’ll start a console app and begin listening on localhost:9000. You can immediately try browsing to http://localhost:9000/api/kerberosE2E and you’ll get prompted for a username and password.

This authentication request will fail. You’ll notice in the console app an error has appeared saying that NTLM isn’t supported. This is for a couple reasons:

You may not be a domain user, on a domain-joined machine — this should be obvious, but you must be a member of a domain to do Kerberos.

You don’t have a principal in AD with an SPN mapping to your localhost — this is less obvious, but Active Directory doesn’t know what key to use to encrypt the ticket, so it falls back.

Both of these problems are a little too complicated to solve here, so just go ahead and hit any key — it’ll kick off a negotiation dance:

Author Spotlight

Steve Syfuhs is a security software builder. He has spent the last decade building secure systems and is currently working at Microsoft as a Windows Identity Program Manager in OS Security. He was a Microsoft Developer Security MVP between 2011 - 2018.